{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Apache Ivy",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Kostya Kortchinsky of the Databricks Security Team."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been\nintroduced that allows artifacts to be unpacked on the fly if they used\npack200 or zip packaging.\n\nFor artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to\n2.5.1 doesn't verify the target path when extracting the archive. An\narchive containing absolute paths or paths that try to traverse\n\"upwards\" using \"..\" sequences can then write files to any location on\nthe local fie system that the user executing Ivy has write access to.\n\nIvy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "medium"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "allow create/overwrite any file on the syste",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "Not found",
        "shortName": "Not found"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Ivy allows creating/overwriting any file on the system",
      "x_ValidationErrors": [
        "$.cveMetadata.assignerOrgId -- validator = pattern",
        "$.containers.cna.providerMetadata.orgId -- validator = pattern"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CNA_private": {
          "CVE_list": [],
          "CVE_table_description": [],
          "email": "",
          "emailed": "",
          "internal_comments": "",
          "owner": "ant",
          "publish": {
            "month": "",
            "year": "",
            "ym": ""
          },
          "share_with_CVE": true,
          "todo": [],
          "userslist": "dev@ant.apache.org"
        },
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "",
          "ID": "CVE-2022-37865",
          "STATE": "PUBLIC",
          "TITLE": "Apache Ivy allows creating/overwriting any file on the system"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ivy",
                      "version": {
                        "version_data": [
                          {
                            "platform": "",
                            "version_affected": ">=",
                            "version_name": "",
                            "version_value": "2.4.0"
                          },
                          {
                            "platform": "",
                            "version_affected": "<=",
                            "version_name": "",
                            "version_value": "2.5.0 +1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered by Kostya Kortchinsky of the Databricks Security Team."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been\nintroduced that allows artifacts to be unpacked on the fly if they used\npack200 or zip packaging.\n\nFor artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to\n2.5.1 doesn't verify the target path when extracting the archive. An\narchive containing absolute paths or paths that try to traverse\n\"upwards\" using \"..\" sequences can then write files to any location on\nthe local fie system that the user executing Ivy has write access to.\n\nIvy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "medium"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "allow create/overwrite any file on the syste"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "",
              "refsource": "CONFIRM",
              "url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "",
          "defect": [],
          "discovery": "UNKNOWN"
        },
        "timeline": [],
        "work_around": []
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "Not found",
    "assignerShortName": "Not found",
    "cveId": "CVE-2022-37865",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0"
}